Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

howtos:network_services:openvpn [2013/12/31 11:38 (UTC)]
chrisabela
howtos:network_services:openvpn [2018/03/02 00:04 (UTC)]
bifferos Add a note that 'daemon' can initially be left out.
Line 70: Line 70:
 <​code>​ <​code>​
 # cd # cd
-# git clone git://​github.com/​OpenVPN/​easy-rsa+# git clone http://​github.com/​OpenVPN/​easy-rsa
 </​code>​ </​code>​
  
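Review bot: The new clone URL on the changed line still uses plain http://, which, like git://, gives no integrity or authenticity protection for the downloaded easy-rsa code; since this tooling generates the CA and every server and client key in the article, prefer `# git clone https://github.com/OpenVPN/easy-rsa` so the transfer is TLS-protected.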
Line 144: Line 144:
 === 5.2.1 Sign the Client'​s request on the Server === === 5.2.1 Sign the Client'​s request on the Server ===
  
-For the purpose of this article, it is assumed that the Client'​s request file (client1.req) been transferred to the $HOME/​openvpn/​ directory of the Server. Now you can proceed to import and sign the client1 request:+For the purpose of this article, it is assumed that the Client'​s request file (client1.req) ​has been transferred to the $HOME/​openvpn/​ directory of the Server. Now you can proceed to import and sign the client1 request:
  
 <​code>​ <​code>​
Line 168: Line 168:
 # cp $HOME/​easy-rsa/​easyrsa3/​pki/​private/​server1.key \ # cp $HOME/​easy-rsa/​easyrsa3/​pki/​private/​server1.key \
 > /​etc/​openvpn/​keys/​ > /​etc/​openvpn/​keys/​
 +</​code>​
 +
 +If you want to run the server as a daemon on system boot, it's necessary to remove the pass-phrase from the server1.key file first. ​ Don't forget to set permissions on the key to avoid it being world-readable.
 +
 +<​code>​
 +# cd /​etc/​openvpn/​keys
 +# openssl rsa -in server1.key -out tmp.key
 +# mv tmp.key server1.key
 +# chmod 600 server1.key
 </​code>​ </​code>​
  
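Review bot: In the added block, `# openssl rsa -in server1.key -out tmp.key` writes the unencrypted key with the shell's default umask before `chmod 600` runs, so tmp.key can briefly be world-readable; suggest prefixing the block with `# umask 077` (or running `chmod 600 tmp.key` before the `mv`) so the plaintext key is never created with open permissions. The added sentence would also benefit from saying that after this step the key is protected only by filesystem permissions, which is why the chmod matters.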
Line 183: Line 192:
  
 <​code>​ <​code>​
-# cp openvpn-2.3.2/​sample/​sample-config-files/​server.conf \+# cp openvpn-*/​sample/​sample-config-files/​server.conf \
 > /​etc/​openvpn/​ > /​etc/​openvpn/​
 </​code>​ </​code>​
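Review bot: The `openvpn-*` glob on the changed line expands to every matching directory under the current path, so with two unpacked source trees (for example an older release kept beside the new one) `cp` is handed several sources and either fails or copies the wrong server.conf; consider stating that only one extracted tree should be present, or keep the exact version string the reader built.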
Line 230: Line 239:
 daemon daemon
 </​code>​ </​code>​
 +
 +<​note>​It may be useful to leave off the '​daemon'​ option while getting things up and running so you can see useful messages in the foreground.</​note>​
  
 My full server.conf is the following: My full server.conf is the following:
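Review bot: The added note should also say where the messages go: without `daemon` (and with no `log` or `log-append` directive) OpenVPN writes to the terminal, whereas with `daemon` it logs via syslog, so a reader who later enables `daemon` knows to look in the system log rather than wondering why the foreground output disappeared.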
Line 597: Line 608:
 ===== 7. Port Forwarding ===== ===== 7. Port Forwarding =====
  
-YYou will need to forward traffic from the port you have chosen for Openvpn to be routed to the Server. To accomplish this you will need to provide your Server with a fixed IP and you will need to configure your router. You may use netconfig, wicd or network-manager to set the fixed IP on Slackware. Then you also need to consult the documentation provided with your router to set up the selected IP address reserved for the Server, and the port forwarding. For our default Openvpn set up, the UDP Port would be 1194. +You will need to forward traffic from the port you have chosen for Openvpn to be routed to the Server. To accomplish this you will need to provide your Server with a fixed IP and you will need to configure your router. You may use netconfig, wicd or network-manager to set the fixed IP on Slackware. Then you also need to consult the documentation provided with your router to set up the selected IP address reserved for the Server, and the port forwarding. For our default Openvpn set up, the UDP Port would be 1194. 
  
 In case if you have misplaced such documentation,​ you may search on the Internet on how this may be achieved. A good place to start is http://​portforward.com/​. In case if you have misplaced such documentation,​ you may search on the Internet on how this may be achieved. A good place to start is http://​portforward.com/​.
Line 644: Line 655:
 <​note>​Note that comments in client.conf may be either # or ; The former are used to comment out text while the latter are for commented out configuration lines. This should help you a lot in the configuration process.</​note>​ <​note>​Note that comments in client.conf may be either # or ; The former are used to comment out text while the latter are for commented out configuration lines. This should help you a lot in the configuration process.</​note>​
  
-You will need the this files that were generated by the Client'​s easy-rsa scripts:+You will need this file that were generated by the Client'​s easy-rsa scripts:
  
 <​code>​ <​code>​
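Review bot: The rewritten sentence is still ungrammatical: "this file that were" mixes singular and plural; use either "this file that was" or "these files that were", depending on how many files the code block that follows lists.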
Line 922: Line 933:
 push "route 192.168.200.0 255.255.255.0"​ push "route 192.168.200.0 255.255.255.0"​
  
-client-config-dir ccd +client-config-dir ​/​etc/​openvpn/​ccd 
 route 192.168.1.0 255.255.255.0 ​ route 192.168.1.0 255.255.255.0 ​
  
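Review bot: With the absolute path on the changed line, the text should also state that /etc/openvpn/ccd must exist and be readable by the unprivileged user OpenVPN drops to when server.conf sets `user` and `group`, because per-client files in that directory are read at each connection, after privileges have been dropped. The absolute path itself is an improvement, since a relative `ccd` is resolved against the working directory or the `cd` directive rather than the location of server.conf.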
Line 932: Line 943:
  
 Naturally replace 192.168.200.0 255.255.255.0 with the Server'​s Network Route, and  192.168.1.0 255.255.255.0 with the Client'​s Network Route. Naturally replace 192.168.200.0 255.255.255.0 with the Server'​s Network Route, and  192.168.1.0 255.255.255.0 with the Client'​s Network Route.
 +208.67.222.222 and 208.67.220.220 are the OpenDNS IP addresses.
  
-208.67.222.222 and 208.67.220.220 are the OpenDNS IP addresses. ​Up to now the DNS push configuration has not been successful. You can either use the original Client DNS servers or else you may edit /​etc/​resolv.conf manually. ​However ​it is still worth trying to use the DNS servers listed by the Client, I find that they are generally still be available ​from the Server'​s Network, so you would not need to do anything.+<note warning>Up to now the DNS push configuration has not been successful.</​note>​ 
 + 
 +You can either use the original Client DNS servers or else you may rewrite ​/​etc/​resolv.conf manually
 + 
 +<​code>​ 
 +# OpenDNS Servers 
 +nameserver 208.67.222.222 
 +nameserver 208.67.220.220 
 +</​code>​ 
 + 
 +According to your routing table however, ​it is still worth trying to use the DNS servers listed by the Client, I find that they are generally still available, so you would not need to do anything. However do be aware of possible DNS leaks if you are concerned about your privacy. 
 + 
 +Some users have reported that their Client'​s Network Manager, (or any other similar application) re-wrote the original /​etc/​resolv.conf back after their manual editing. This could not be reproduced by the author of this article (yet), but you may consider installing and configuring openresolv(5) if this actually happens to you. A SlackBuild for openresolv may be found on http://​slackbuilds.org. Openresolv is currently out of the scope of this article.
  
 Next you will have to configure some iptables NAT forwarding on the Server (only). You can do this by first flushing the iptables: Next you will have to configure some iptables NAT forwarding on the Server (only). You can do this by first flushing the iptables:
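Review bot: The added warning says DNS push has not worked but not why: on a Linux client OpenVPN does not apply pushed `dhcp-option DNS` entries itself; they are only passed to an `up` script (OpenVPN ships an example under contrib/pull-resolv-conf, run with `script-security 2`), so without such a script resolv.conf is never touched. Stating this would turn the warning into an actionable fix and give the DNS leak remark a concrete mitigation. Separately, "According to your routing table however, it is still worth trying" in the added paragraph is hard to parse; suggest "Depending on your routing table, it may still be worth using the DNS servers the Client already has: I find they are generally still reachable, so nothing needs to change."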
Line 999: Line 1023:
   #$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT # Uncomment to allow sshd   #$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT # Uncomment to allow sshd
  
-  # allow openvpn for the non-default ​tcp port 443 +  # allow openvpn for the default ​udp port 1194 
-  $IPT -A SERVICES -p tcp --dport ​443 -j ACCEPT+  $IPT -A SERVICES -p udp --dport ​1194 -j ACCEPT
   ​   ​
   echo "​done."​   echo "​done."​
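Review bot: The changed rule now matches the article's default of UDP 1194, which the old `tcp --dport 443` comment contradicted; it would be worth adding, next to the rule, that the protocol and port here must match the `proto` and `port` lines in server.conf, and that readers who kept a non-default port have to adjust both places, or the firewall will silently drop their VPN traffic.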
Line 1127: Line 1151:
  
 (4) http://​www.no-ip.com (4) http://​www.no-ip.com
 +
 +(5) http://​roy.marples.name/​projects/​openresolv/​index
  
   * Originally written by [[wiki:​user:​chrisabela | Chris Abela]]   * Originally written by [[wiki:​user:​chrisabela | Chris Abela]]
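Review bot: The new reference (5) is cited in the added body text as "openresolv(5)", which reads like a man-page section number rather than a footnote; write it as "openresolv (5)" (or use the wiki's footnote syntax) so it matches the other numbered references.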
